Navigating WordPress Security: Expert Tips for MSPs with Roger Williams Episode 17


· 30:24


Pierre Mol (00:00)
Welcome to another episode of the $5 Million Milestone podcast, where Tim and I dive deep into what it really takes to grow and scale a successful MSP business. I'm your host, Pierre Mol. Today we're joined by Roger Williams, the community manager at Kinsta and a true LinkedIn superstar when it comes to staying on top of everything happening in the WordPress world. If you've been following WordPress trends, security developments, or hosting insights on LinkedIn, you've likely seen Roger's valuable contributions to the community.

And this conversation is particularly important for MSPs because WordPress powers over 40% of all websites on the internet, which means your clients are more than likely running WordPress sites that need proper security, maintenance, and performance optimization. Roger is going to share insights from Kinsta's front lines about the most common security vulnerabilities they're seeing in 2025, how AI is changing the WordPress security landscape, and why accessibility

isn't just about compliance, it's about performance and conversions. So whether you're currently managing WordPress sites for clients or considering adding WordPress services to your MSP offering, Roger is going to share some actionable insights that could help you protect your clients better while growing your recurring revenue streams. So let's dive in and learn from one of the most connected voices in the WordPress community. Without further ado, hi Roger, welcome to the program again. Great to have you back, and yeah, how are you doing today?

Roger Williams (01:17)
I'm doing really great now, Pierre. After that intro, wow, I feel really awesome. Thank you so much for the kind words. Tim, it's great to see you again as well.

Tim Kelsey (01:25)
Yeah, for sure. Pierre's right, you're always at the top of my LinkedIn feed whenever I sign on. So yeah, you're super active in there and it's great to see your posts all over the place.

Roger Williams (01:30)
Awesome.

Excellent, excellent. I'm excited to talk with you guys.

Pierre Mol (01:36)
Yeah, we've seen you connect with so many other marketing agencies, and we were one of them; we had you on a previous episode where we were also sharing insights for marketing agencies. But it's really been impressive to see you grow, attending all those conferences. So we're excited to bring you back on the show and see where things are. And with that,

I just want to dive into our first question, which is about the most common security vulnerabilities Kinsta encounters on their clients' WordPress sites. And with so many new vulnerabilities, how does Kinsta keep up with all of those threats and trends, and what can MSPs learn from that?

Roger Williams (02:13)
Yeah, it's a great question. You know, there's a traditional kind of view of WordPress that it's insecure.

And the amazing thing about WordPress is that there's a lot of different components available to it. So you have WordPress Core, which is the primary software that you download and you install. And that's pretty much everything you need really to start posting. And that is very secure. That code is maintained by a very strong group of core committers and is reviewed a lot. Where you start seeing security vulnerabilities in WordPress is in the plugins and the themes.

And this is because the great thing about WordPress is anybody can create a plugin or a theme. And the terrible thing about WordPress is anybody can create a plugin or a theme. And so the code quality just varies widely. And what we're seeing and the industry as a whole is seeing is that plugins are the primary method of security vulnerabilities in WordPress. And so that's where people need to be paying attention a lot.

So there's a few different ways to make sure you're protecting yourself. One is make sure you're using reputable plugins. So there's a lot of different ways to check on that. If the install base is over, let's say, 10,000 or 50,000 installs,

it's probably a pretty good plugin, but you can still dig in deeper and, you know, see things like: are they maintaining a changelog? Can you contact the developer? Some really basic things that a lot of people just overlook, because when you're in WordPress and you're looking at plugins, all these things just pop up and you just click and install it and you feel like that must be a legitimate plugin because it was in the repo. So you want to be a little bit careful about what you're installing.

And then the second one is you want to make sure you're staying on top of security updates. And the thing about WordPress plugins is there's only one type of WordPress plugin. We don't distinguish between security or just feature updates. And so that means every update is a security update. You just have to assume that it's a security update. So you need to stay on top of updating those plugins and making sure that everything is secure.

As far as how Kinsta stays on top of this, we actually have a full-time team in a malware department, a malware and abuse department. And this is just all their job is: just to watch the internet for the different posts that come out. There's a lot of different services and companies that provide information about security vulnerabilities. Plugin developers will provide information. And so our team is always staying up to date as to these different changes.

We're updating our internally built scanner to check for these vulnerabilities. And then when there is a problem, our team is able to help our customers with any issues that they're encountering, and in most cases, just quickly clear out the malware and have everybody back and working nice and quickly and securely. So that was a pretty long answer to a simple question, but security is a serious issue. So I like to talk about it in detail.

Pierre Mol (05:05)
Yeah, that was very, very good, Roger. And very similar to what we're seeing as well. You know, when you install WordPress, yeah, at first, maybe you're more involved and you have full control, but over time as your WordPress site evolves or your team evolves, you have different people getting involved and asking, hey, can I install this plugin? Or you can end up with different people adding different plugins, and sometimes you have third parties who come in and who are helping you as an external consultant. And so this is when I think things kind of start going all over the place. And if no one is paying attention, it can quickly get messy in there.

Roger Williams (05:43)
Yeah, and just another quick thing to point out here is there's user roles in WordPress. And a lot of the time what happens is, let's say you're the boss of the company and you're like, well, I need to be an administrator for the WordPress site. Well, the reality is you probably don't. Unless you know what you're doing and you're a developer, you really should not be an administrator on a WordPress website. You want to minimize how many users are administrators. And the reason for this is, administrators can install plugins. And so if you've got everybody as an administrator, then now everybody is potentially a security hazard for your website. So the user roles in WordPress are set up on purpose for really distinguishing who's doing what on the website. Most people at the company probably just need to be an editor or even just an author, so they're only affecting their posts.

But really very few people should be administrators and that's something that is commonly overlooked and we see security vulnerabilities occur because of that as well.

Pierre Mol (06:41)
Yeah. And we've also seen a lot of security issues coming from small businesses and small business owners as well. We may think the hackers are going to be going after the big guys and the big enterprises where the big bucks are, but often going through the small business route essentially allows those guys to get back up the food chain, so to speak. And so, you know, you're also vulnerable if...

Tim Kelsey (07:07)
Yeah, I was just going to say all of this is really relevant to MSPs, I think. We work with a lot of MSPs as their website provider, and a lot of them focus on cybersecurity overall, not just for websites, but for their local network and user permissions. All this kind of stuff is very familiar to MSPs. And we've started to see more and more MSPs wanting to get into the website hosting space. I think that's sort of a natural place; their customers turn to their MSP, like, hey, you're the most technical person I know, help me with my website. But not all MSPs grew up in that world and they're not necessarily focused on that. But maybe you could tell us a little bit about, if an MSP is looking for a WordPress hosting provider or someone to partner with, what kind of features should they be considering?

With all the options out there, I mean, there are so many hosting options available, how can they tell who's got great security practices, who's gonna help them keep their clients' websites secure, and all that stuff that goes on behind the scenes?

Roger Williams (08:12)
Yeah, that's a great question, Tim. Also, to speak to your point about MSPs and their customers assuming that they can do the web hosting, it just makes sense, right? Hey, they're handling servers, web servers. It's all servers. And I think the big difference with web hosting versus the other servers that are handling your internal networks and stuff is that web servers are exposed to the internet, right? Like with most servers, you've got things locked down. There's very few access points. Whereas with a web server, you want everybody to come to your website. And so you have to leave things more open. And so I think there's specialization there that shouldn't be discounted. And especially for an MSP, you know, unless they really want to go down this rabbit hole, finding a partner that specializes in this and has really focused on it, it just seems like a great move to me. And so just, you know, to speak specifically to what you should be looking for in a web host.

You know, if you're working with business clients, I think stuff like SOC 2 and ISO 27001 certifications are just a baseline that you should have. So as soon as you go and look at their website, go to their trust page. So we have a trust.kinsta.com page. You can see all of our certifications. The reason that these are important, you know, most of the MSPs probably know what I'm talking about, but I'll repeat it anyway. With the SOC 2 certification, not only is that verifying that technically we're secure, it's also verifying that everybody that works at Kinsta is undergoing regular training to be secure. So like when I log into my computer, there's a whole host of things that I'm following where I'm being careful with PII data, various information that I have access to; the different tools that we use are all verified by a third party to make sure that we are secure for our clients and their clients.

And ISO 27001 is a very similar thing. That's definitely more on the technical side. But again, it's making sure that our system administrators are following protocols so that everything is secure from the ground up. After that, let's start talking about logins. So at Kinsta, we enforce two-factor authentication for all customer login accounts to the Kinsta dashboard.

These days, that should just be table stakes. Again, the MSPs know what I'm talking about here. But with two-factor authentication, you're just adding that extra layer of security so that if somebody is flippant with their password, they've written it down on their desk or something, and somebody now has the password, if they've got two-factor authentication involved, then they're still protected.

So, you know, these little steps as far as access go are really important. After that, you know, like I mentioned, we have a full-time malware and abuse team, so they're always watching for different security threats that are happening. We also have full-time sysadmin and DevOps teams who are also monitoring all of our systems and just really making sure that everything's buttoned up.

And then after that, you know, the partnerships that they're working with. So we work with very well-known partners. Everything is built on the Google Cloud Platform, a very well-known provider of cloud services around the globe, very secure. And then also we work with Cloudflare, which is the leading denial-of-service (DDoS) protection provider out there and CDN provider. And so we've got really strong partnerships with those companies. And I think that really goes a long way to speaking towards how seriously a hosting company is taking security.

Tim Kelsey (11:33)
One thing I want to give a shout-out to as well is your frontline support team, because we go to them all the time. Whenever there's an issue that we can't troubleshoot on our own, or we just can't find the solution to, we just go straight to Kinsta. Someone answers us right away and we're immediately troubleshooting the problem. We're getting escalated to someone else who can go into the site and fix it for us. So just having that is like a security blanket, to know that Kinsta is there ready and waiting

Tim Kelsey (12:01)
to whenever we need that help as well. But I think that's something MSPs would greatly benefit from as well. They might not be the complete experts in all things web, but the Kinsta support team is there to help them out when there's something they don't know how to troubleshoot on their own.

Roger Williams (12:17)
Absolutely, and just to jump in real quick again, thank you so much for bringing up the support team. I feel terrible for having overlooked that a little bit. The support team is number one in my mind. And as MSPs know, the reason that they're an MSP, is because their customers want to be able to talk to somebody who knows what they're talking about. And that's the case with Kinsta support, right? Everybody is a support engineer who knows WordPress.

Roger Williams (12:40)
They understand how managed hosting works. They understand NGINX, the web server that everything runs on, PHP, MySQL. And so when you have an error or an issue, you can come into support and, under a two-minute response time, you have a person that you're talking to. It's not an endless decision tree or an AI chatbot. It's a person. They immediately start figuring out what you're experiencing, troubleshooting it, getting you an answer. And

One of the underlying philosophies of our support team is we never want to just say it's not our problem. Even if it's out of our scope of support, we really want to do our best to help pinpoint, hey, this is out of our scope. Our system's working. We've verified that. What we've identified is either this plugin or something about your website is having an issue.

And that's where you need to focus on, and we'll try and get as much information for you, you know, through various methods of investigation. You also have access to an APM tool, an application performance monitoring tool, where you can find exactly what function and what database queries are causing a delay or whatnot. And then, you know, if you've got a partner like Pronto, Pronto is gonna jump right in with that information, get to work, get everything sorted out and get everything high-flying again. So, great point with the support team.

Never want to discount that. And I think a really cool feature that I like to highlight about Kinsta support is we're a global company and we're fully remote. And so what that means is anytime you're talking to somebody at Kinsta, it's normal working hours for them. So let's say it's Saturday morning, 2 a.m., the CEO of the organization is calling you because the website's down or having an issue. When you contact Kinsta support, you're talking to somebody

on the other side of the globe, but it's daytime. And what that means is they're happy to be talking to you. I don't discount the effect that graveyard shifts have on people, especially in a support situation. Great point bringing up support. And yeah, it's a huge factor that you should be looking for. Because as an MSP provider knows, technology is technology,

Roger Williams (14:46)
it does have problems, and you want to have a human on the other side of the line that is talking to you and kind of helping you figure things out.

Tim Kelsey (14:54)
Yeah, it makes me think, in the early days of Pronto before we were using Kinsta, we were using another hosting solution that will remain nameless. And I remember complete freak-outs on our end where all sites were down, and it's a disaster when that happens. And if you can't get someone on the phone or on chat immediately who's ready and willing to help,

you just think this is the end of your business and it's insanely stressful. But we've never had anything like that with Kinsta. It's always up and running, or if there's a site here or there that has a problem, like you said, the team is there ready to help. Or if it's something that's not a problem with Kinsta, I love that perspective of you saying, no, we can't help with this, but here's the next place you can go to troubleshoot. It's not just a dead end, "no, good luck." It's,

We're doing our best to help out and point you in the right direction so you can resolve this for your client.

Roger Williams (15:50)
100%, and just to jump on there, one other thing to be looking out for, you know, when you're evaluating hosting providers. Obviously, I think you should go with Kinsta right out of the gate. But due diligence is always a smart thing to do. So SLA, service... oh, help me out. Service level agreement. Thank you. It's morning here still.

Roger Williams (16:09)
At Kinsta, 99.9% is our default SLA. If you want additional SLA protection, we have a 99.99%.

But these are the things that you really want to be looking for: OK, what's in the terms and conditions for the SLA? And then what is the recourse if there is an issue? And at Kinsta, we credit you back. We work with you to make sure, if there is an issue, we work with you to make things whole.

But what I always like to remind people is we are not in the business of giving out refunds, right? And so the SLA is something we really do stick to. Like we're not just putting that number out there for marketing. It's, it's a promise to our customers that we will be up and running for you because like you said, Tim, there's nothing more terrifying than a client's website being down even for like a minute, because you know that that means they're losing customers. And so we take that really seriously. We want the sites to be up, we want them to be fast, and obviously we want them to be secure.

Tim Kelsey (17:13)
Yeah, 100%. Changing gears a little bit here, I'd like to move over to everybody's favorite topic recently, which is AI and how that has impacted security, both in good ways, of how Kinsta might be using AI to fight threats, but also in bad ways. It opens up new channels and ways for people to attack or inject malware or do all sorts of things that they want to try to do to websites.

What's your take on how AI has impacted the WordPress security world?

Roger Williams (17:44)
Yeah, it's a great question. It's a very timely question. It's all about AI. And we are definitely looking at AI for tools and ways to work with things. And from DevOps to systems to support, what I can tell you is that there is always a man or a woman in the middle at Kinsta.

And what that means is we're not allowing AI to make decisions as far as how the infrastructure works, as far as how support questions are answered. There's always a person that is reviewing it and implementing it. And I think that that is an absolutely critical way to be looking at AI in your business. Trust, but verify, right? These are amazing tools.

They can put out some really convincing answers. They can put out very convincing code, but they can also be very, very wrong. And so we have to be vigilant about reviewing these things. And so at Kinsta, we've got a very open attitude towards AI. We talk about it. We have Slack channels dedicated to talking about AI and how we might utilize it and things like that. But at the end of the day, we're very careful.

to always have a person there checking the work, testing the work, making sure that it's going to be secure and performant and all those things before we implement it. From the other side, from the red team, the attacking side of AI, you know, it's been an interesting couple of years. One thing, you know, I will say is that we're seeing more threats coming up quicker because people are able to use these tools to generate more and more threats.

That said, we're not really seeing anything unique or novel out of this yet. It's a lot of copycat-type work. So it's not really that much different from what we've seen before at this point. But I anticipate that to change and get more sophisticated as we move forward. And again, having that dedicated malware and abuse team and another dedicated security team always looking at these threats and always analyzing what's on the horizon, what's coming next, and really staying ahead of it is absolutely critical. And I think, again, tying back into our partnerships with Google and Cloudflare, these are both leading-edge companies looking at these threats as well. And we work with them as partners to make sure that our customers are getting everything that they need.

Tim Kelsey (20:04)
Yeah, that's really interesting. It kind of sounds like Kinsta's approach to AI is similar to where we're at with AI as well. Yeah, we talk about it all the time in our team meetings. We're sharing ideas of how we've used it to become more efficient, but there always must be a human element there. AI is not at this point yet where it's just going to run and do everything. And I think it's still a ways away from that. So, yeah, we want to be experimenting with it, but

We still want our clients to feel like they're talking to a human, that a human has thought through their request and done the thing, even if it requires reading between the lines, where AI might just give you a straight answer that misinterpreted something. So it's interesting that we're, seems like we're kind of at the same place there. It's a fun, not a fun tool, a helpful tool, but I guess fun also. But it's not something that I think is at a point where it's replacing any of the processes or the critical thinking that real people do to make sure work gets done correctly.

Roger Williams (21:04)
Yeah, absolutely. And kind of like to continue on that thread a little bit. You know, I think there's a ton of hype in AI right now, right? I mean, these are massive companies. They're spending a ton of money. And so naturally, they're going to be hyping up AGI and, you know, these amazing advances that are just over the horizon.

And, you know, I think at Kinsta and personally also, I'm on a wait-and-see approach, right? Like I want to play with the tools. I want to test them out. But so far, none of it has convinced me that I can just hit play and go have some cocktails. I need to be paying attention. I still need to do work. It's helping me to work maybe faster. It's helping me to find an answer maybe quicker, but I still need to be looking at it. And our experts still need to be looking at the output and

and testing it rigorously. And so I'm excited to hear Pronto is having the same approach. Great minds think alike. What can you say?

Tim Kelsey (21:57)
Yeah, exactly.

Pierre Mol (21:59)
Yeah, like you said, it's really the speed factor that is really causing challenges or helping you out one way or the other. And we've definitely seen a lot of those, you know, vulnerability alerts coming in, and it feels like they're coming in faster every day. So for sure, there's a lot of challenges there.

Moving on beyond security, we've talked a lot about, you know, security challenges in WordPress, but, you know, there's more to WordPress than just security. There's your overall maintenance. And then there are other elements that are coming up lately a lot, which is accessibility, right? And so like,

Roger Williams (22:34)
Yes.

Pierre Mol (22:35)
And kind of beyond that compliance element, how does building an accessible WordPress website directly impact its overall performance and conversion rates? And essentially, it's kind of looking at how all those technical challenges across the board then impact your SEO and then eventually your conversions and the leads you get and your bottom line at the end of the day.

Roger Williams (22:58)
Yeah, no, absolutely. Accessibility is a really fascinating topic. As I'm getting older, accessibility is just becoming more important to me, right? I mean, my eyesight is not what it used to be. My hearing is not what it used to be. And so having websites that are accessible, yes, it immediately impacts anybody with a real disability, right? It's somebody who can't see or hear. Having an accessible website goes from zero to one.

Right, the classic adage of like actually creating a customer. But we should expand our horizons and consider everybody else, right? Like at different points in our lives, people are going to have injuries. As we age out, we're going to have reduced capabilities. And so an accessible website answers the call to all of the customers, right? And what we see is that

the conversions go up on an accessible website, which just makes sense. You've got the people, 8%, I think, of the global population is considered disabled. So you're actually creating customers out of those people who before couldn't even use your website.

And then for the rest of us, having better contrast of colors, being able to see the checkout button, having alt text so that when I can't, maybe the image isn't loading or something, there's at least some placeholder text that's telling me what the image is about. All of these things contribute to more click through rates, longer time on page.

And so backing up a second, so that's from the person side, the human side, right? The website is easier to use. From the technical side, you've now got a semantic markup. So when the bots come and crawl your website from Google and Bing and these other search engines, they're more easily able to identify what the page is about and therefore rank it appropriately. The knock on effect and something that was just brought up to me by an SEO expert recently,

The knock-on effect is that now, yes, the search engine is ranking the site higher because it's marked up correctly. But we also know that Google tracks time on page, bounce rate, how deep into the pages you go.

And so once I now go to your website and it's accessible, the human element now takes over again and I'm spending more time on your site. I'm clicking through to more things on your site and all of that data is going back to Google, further increasing your search engine rankings. And so there's so much to accessibility and yes, you brought up there's compliance issues, especially the EU next month in June of 2025.

the hammer's coming down, right? They're gonna have a lot of legislation and regulation. And so in the EU, you've got to, if you're doing business in the EU, you're gonna have to be paying attention to accessibility. In the US right now, we don't yet have that at the federal level. We're seeing a lot of states do a lot of work around accessibility and inevitably, it's going to be at the federal level. Maybe not in the next four years, but it's definitely coming.

as it should, right? I think, you know, we put in ramps to the grocery store decades ago, right? So that people in wheelchairs could access the grocery store. And what we see is that when those ramps are installed, normal people are using them. Mothers with baby carriages, people that, you know, maybe they've got a cane, a ramp is much easier. And so again, it's that knock-on effect of,

if we make it accessible to everybody, it helps all of us. So accessibility, I can talk about it for days, but I'm a big proponent for it. And I think when you're trying to make the case to the business owners, executives, stakeholders, whoever, you should really be expanding well beyond the idea of compliance, right? The stick only takes you so far. It's the carrot that really gets you there.

And what we see is when a site's accessible, it generates more revenue. Customers are happier to be there. When they see that it's accessible, there's studies that are showing that people recognize when a site is accessible and they're happier with that brand. So it's an immediate reflection on your branding. And again, yeah, I could go on for days about accessibility, but big, big proponent.

Pierre Mol (27:06)
Those are some really good points that you're making, and not just focusing on that compliance aspect, but really how you're improving your site overall. And I think what's quite interesting about that topic as well is that it's a fairly technical one, but it really impacts as well not just developers, but designers as well. And so it kind of speaks to the complexity of WordPress as a whole and how you need to have a wide set of expertise in order to really make

your WordPress site perform to the max. And I think this is where having the right partners, and having partners that specialize in WordPress like you guys, is really helpful. Because you guys are paying attention to those things that our developers or designers are going to care about. And then you can really make it work as a complete solution. And that's where I think we found it really awesome working with you guys and have seen a lot of success.

Roger Williams (27:58)
Yeah, and you know, just to kind of put a little more onto this point, right? So at Kinsta, we're hosting the website. We'll host however you want to do it. If you want to make it accessible, great. If you don't, great. Or not great, but we'll host it. But this is where partners like Pronto come in, right? You guys are coming in from the ground up with accessibility in mind. And from everything that we've seen, all the studies that have been done, the ad hoc conversations we've had with customers over the years, is that

when you take accessibility into the design process from the very beginning, A) it means that you're going to have a better design at the end, but it also means you're going to save money, you're going to save time, because everything is baked in at the beginning of that process. We learned this over 10 years ago now, maybe, I mean, we're getting close to 20 years of the responsive web. Like, we learned this when mobile came out: you've got to have a responsive website. Otherwise, I can't hit the back button fast enough, right? And I think the next stage of this is accessibility, because responsive design is accessibility, right? And so I think we're going to see more focus on this moving forward. And I think having a solid partner like Pronto to help you help your customers kind of go through this design process and really understand from the basic level what it means to be accessible from the start is invaluable.

Pierre Mol (29:18)
Yeah, absolutely. Well, thanks so much for sharing all of this with us, Roger. If our listeners want to connect with you, what's the best way to reach you?

Roger Williams (29:25)
Man, you guys hit it at the beginning of this. I love LinkedIn. Find me on there. I'm Roger Williams Media after the forward slash. And like you said, I'm posting videos all the time. So you should see a video that I've posted recently. Reach out, say hi. I accept pretty much all the connection requests. And then, yeah, let's see what we can talk about. I'll be at a bunch of WordCamps: WordCamp EU, WordCamp US, some local WordCamps, WordCamp Canada. So, you know, if you're at a WordCamp and you see me, grab me and say hi and let's talk.

Pierre Mol (29:58)
Awesome. Yeah, definitely check out Roger's LinkedIn. You won't regret it. And as always, if this episode helped you think differently about WordPress security and MSP service offerings, please subscribe to the $5 Million Milestone podcast, leave us a review, and share this with another MSP owner who's navigating the complexities of WordPress management. Until next time, keep focusing on the strategic partnerships, stay ahead of security trends, and keep chasing that $5 million milestone.
